Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the application:

Listing of Claims:

1. (cancelled) 

2. (currently amended): A method according to claim + 6 wherein: 

the response message has a header portion and a content portion and the response 
message contains the access control information and a network device identifier for the another 
network device embedded within its content portion; 

the second message has a header portion and a content portion and the second message 
contains the at least part of the access control information embedded within its content portion. 

3. (currently amended): A method according to claim + 6 wherein: 

the first message has a header portion and a content portion, and the access control 
information is contained in the header portion, the method further comprising extracting the 
access control information from the header portion for use in the response message.

4. (currently amended): A method according to claim 4- 6 wherein: 

the first message has a header portion and a content portion, and the access control 
information is contained in the content portion, the method further comprising extracting the 
access control information from the content portion for use in the response message.

5. (original): A method according to claim 2 wherein a hidden content is used in the response 
message to contain the access control information. 

Appl. No. 09/603,356

6. (currently amended): A method according to claim 1 further comprising A method of
conveying access control information from one network device to another network device on a
different domain through an end user device comprising:

the one network device in response to a first message received from the end user
device containing access control information, sending a response message to the end user device
containing the access control information, the response message being adapted to cause the end
user device to send a second message to the another network device containing at least part of
the access control information; and

presenting an option to the end user device to send the second message or not;

wherein at least part of the access control information is used to control access to a
protected resource on at least one of the first and second network devices.

7. (original): A method according to claim 2 wherein the response message's content portion is
formatted as a custom content type. 

8. (original): A method according to claim 2 wherein at least part of the content portion of the 
response message is protected by cryptographic means. 

9. (currently amended): A method according to claim + 6 wherein the first message is an HTTP 
Request message, and the response message is an HTTP Response message.

10. (currently amended): A method according to claim ^ 6 wherein the access control 
information is a cookie. 

11. (cancelled)

12. (currently amended): A method according to claim 11 further comprising A method of
conveying access control information from one network device to another network device on a
different domain through an end user device comprising:

the one network device in response to a first message received from the end user device
containing access control information, sending a response message to the end user device
containing the access control information, the response message being adapted to cause the end
user device to send a second message to the another network device containing at least part of
the access control information;

containing user-specific information in the response message together with instructions to
include at least part of the user-specific information in the second message; and

presenting an option to the end user device to change and/or delete any of the
user-specific information before sending the message to the another network device;

wherein at least part of the access control information is used to control access to a 
protected resource on at least one of the first and second network devices.

13. (currently amended): A method according to claim 4- 18 wherein the one network device is 
an initial network device accessed by the an end user device, the method further comprising: 

prior to sending the response message, 

a) the initial network device receiving an initial access request from the end 
user device to access a protected resource on the initial network device; 

b) the initial network device performing an authentication process to 
determine if access should be granted and if so, responding with an access response message 
specifying the access control information in association with the first network domain of the 
initial network device and causing the end user device to send the input first message; and

on an ongoing basis after performing the authentication process allowing subsequent 
access to the protected resource to requests containing the access control information.

14. (currently amended): A method according to claim 13 further comprising: 

containing user-specific information in the response message together with instructions to 
include at least part of the user-specific information in the subsequent second message.

15. (original): A method according to claim 14 wherein the user-specific information comprises 
at least one of purchase enabling information and personal data.

16. (currently amended): A method according to claim 15 further comprising A method of
conveying access control information from one network device to another network device on a
different domain through an end user device comprising:

the one network device in response to a first message received from the end user device
containing access control information, sending a response message to the end user device
containing the access control information, the response message being adapted to cause the end
user device to send a second message to the another network device containing at least part of
the access control information;

containing user-specific information in the response message together with instructions to
include at least part of the user-specific information in the second message; and

requiring user acceptance before including the at least part of the user-specific
information in the second message;

wherein at least part of the access control information is used to control access to a 
protected resource on at least one of the first and second network devices.

17. (original): A method according to claim 14 wherein at least part of the user-specific 
information is protected by cryptographic means. 

18. (original): A network device implemented method comprising: 

a) a network device on a first network domain receiving an input message having a 
header portion and a content portion, with the input message containing an access control
information embedded within the content portion; 

b) the network device responding with a response message having a header portion 
and a content portion, with the response message containing the access control information in the 
header portion and having a content portion containing the access control information and also 
containing instructions to send a subsequent message to another network device on a different 
network domain, the subsequent message having a content portion containing at least part of the 
access control information.

19. (original): A method according to claim 18 wherein the another network device is specified
in the input message. 

20. (original): A method according to claim 18 wherein the another network device is specified 
by the network device.

21. (original): A network device implemented method comprising:

the network device responding to an initial access request with a redirect message 
instructing a redirection to a MDSSO (multi-domain single sign-on) function on the network
device, the redirect message also specifying an access control information in a header of the
redirect message; 

the MDSSO function receiving an input message having a header portion and a content 
portion, with the input message containing the access control information embedded within the 
header portion; 

the MDSSO function responding with a response message having a header portion and a 
content portion, with the response message containing the access control information in the 
header portion and having the content portion containing the access control information and also 
containing instructions to send a subsequent message to another network device on a different 
network domain, the subsequent message having a content portion containing at least part of the 
access control information.

22. (original): A method according to claim 21 further comprising performing an authentication
process to determine if access should be granted, and if so responding to the initial access 
request message with the redirect message, and if not rejecting the initial access request. 

23. (original): A network device comprising an authentication front end and an MDSSO
function, the network device being adapted to provide initial network device functionality upon
receipt of a request message containing access control information only in a header portion, and
adapted to provide non-initial network device functionality upon receipt of a request message 
containing access control information in both a header portion and a content portion;

wherein in providing the initial network device functionality:

a) the authentication front end is adapted to process an initial access request 
message from an end user device to access a protected resource on the network device by 
performing an authentication process to determine if access should be granted and if so, 
responding with an access response message specifying an access control information in 
association with the domain of the network device and causing the end user device to send a first 
request message to an MDSSO (multiple domain single sign-on) function on the network device 
specifying the access control information in a header portion of the first request message; 

b) the MDSSO function is adapted to process a request message directed to it 
containing access control information only in a header portion by extracting the access control 
information from the header portion and sending to the end-user device a response message
containing the access control information in a header portion and having a content portion
containing the access control information and also containing instructions to send a subsequent
request message to another network device on a different network domain, the subsequent 
message having a content portion containing the at least part of access control information; 

wherein in providing non-initial network device functionality: 

c) the MDSSO function is adapted to process a request message directed to it 
containing access control information in a content portion by extracting the access control 
information from the content and sending to the end-user device a response message containing 
the access control information in a header portion and having a content portion containing the 
access control information and also containing instructions to send a subsequent message to 
another network device on a different network domain, the subsequent message having a content 
portion containing at least part of the access control information. 

24. (currently amended): A network device adapted to implement the method of claim 4- 6.

25. (original): A network device adapted to implement the method of claim 18.

26. (currently amended): An article of manufacture comprising:

a computer usable medium having computer readable program code means
embodied therein for implementing the method of claim 4- 6.

27. (original): A multiple domain single sign-on system comprising a plurality of network
devices according to claim 23.

28. (original): The system of claim 27 wherein each of the plurality of network devices 
identifies a respective another network devices in the plurality of network devices. 

29. (original): The system of claim 27 wherein each response message identifies all remaining
unvisited network devices in the plurality of network devices. 

30. (original): The system of claim 27 wherein each response message identifies all the network 
devices in the plurality of network devices. 

31. (currently amended): An article of manufacture comprising: 

a computer usable medium having computer readable program code means embodied 
therein for implementing a multiple domain single sign-on function, the computer readable code
means in the article of manufacture comprising: 

first computer readable code means adapted to receive in a first domain a first request 
message from a remote device, the first request message having a header portion and a content
portion and containing an access control information embedded within the content portion, and
to generate a response message having a header portion and a content portion, the header portion
containing the access control information and the content portion containing the access control
information and also containing instructions causing the remote device to access a network
address in a different domain specified in the content portion with a subsequent message
containing at least part of the access control information.

32. (original): An article of manufacture according to claim 31 further comprising:

second computer readable code means adapted to receive an access request message from 
the remote device, to perform authentication, and to send instructions to the remote device to 
send the first request message to the first computer readable code means.

33. (original): An article of manufacture according to claim 32 wherein the access control
information is generated by the second computer readable code means, sent to the remote device 
with the instructions, and then received by the first computer readable code means in the first
request message. 

34. (currently amended): A computer data signal embodied in a transmission medium
comprising: 

a first source code segment adapted to receive at a first domain a first request 
message from a remote device, the first request message having a header portion and a content
portion and containing an access control information embedded within the content portion, and
to generate a response message having a header portion and a content portion, the header portion
containing the access control information and the content portion containing the access control 
information and also containing instructions to the remote device to access a network address at 
a different domain specified in the content portion with a subsequent message containing at least 
part of the access control information. 

35. (original): A method of conveying user-specific information from one network device to
another network device on a different domain through an end user device comprising:

the one network device in response to a first message received from the end user device 
containing user-specific information, sending a response message to the end user device 
containing the user-specific information, the response message being adapted to cause the end 
user device to send a second message to the another network device containing at least part of 
the user-specific information after presenting an option to the end user device to change and/or 
delete any of the user-specific information; 

wherein the response message has a header portion and a content portion and the
response message contains the user-specific information and a network device identifier for the 
another network device embedded within its content portion; 

the second message has a header portion and a content portion and the second
message contains the at least part of the user-specific information embedded within its content 